package com.profgj.profgj.utils;

import javax.servlet.http.HttpServletRequest;

/**
 * 防止SQL注入工具类
 */
public class AntiSQLInjectionUtils {

    /**
     * SQL注入字符
     */
    public final static String regex = "'|and|exec|execute|insert|select|delete|update|count|drop|*|%|chr|mid|truncate|" +
            "declare|sitename|net user|xp_cmdshell|;|+|,|like'|create|from|grant|group_concat|column_name|" +
            "information_schema.columns|table_schema|union|where|order|by|*|--|like|//|%|#";

    /**
     * 把SQL关键字替换为空字符串
     * @param param
     * @return
     */
    public static boolean filter(String param) {

        Boolean regx = false;

        if (param == null) {
            return false;
        }
        /**
         * 字符串分割 |
         */
        String[] split = regex.split("\\|");
        for(String sp:split){

            /**
             * 匹配到返回true
             */
            if(param.contains(sp)){
                return true;
            }

        }

        /**
         * 没有匹配到返回false
         */
        return false;
    }


    /**
     * 返回经过防注入处理的字符串
     *
     * @param request
     * @return
     */
    public static boolean getParameterOrURI(HttpServletRequest request ) {
        return AntiSQLInjectionUtils.filter(request.getRequestURI());
    }
}